About this release

Thank you for using this McAfee product. This document contains important information about the current release. We strongly recommend that you read the entire document.

Purpose

This release of McAfee®VirusScan® Enterprise 8.8.0 contains a variety of improvements and fixes.

Although McAfee has thoroughly tested this release, we strongly recommend that you verify this update in test and pilot groups prior to mass deployment. Review the New features, Resolved issues, and Known issues sections for additional information.

Important

Patch 4 is the last release of VirusScan Enterprise 8.8 to support Windows 2000.

For a list of supported environments and latest information for VirusScan Enterprise 8.8.0 on Microsoft Windows, see KnowledgeBase article KB51111.

Access Protection process inclusion and exclusion limits and behavior

Expands Processes to include and Processes to exclude fields to a maximum of 5199 characters.

•

Warns when the number of characters in the field is within 200 characters of the maximum character limit.

•

Prevents these fields from exceeding the maximum character limit.

ScriptScan browser support

ScriptScan now supports:

•

Internet Explorer 10

•

Internet Explorer 11

Note

With Internet Explorer 11, Enhanced Protection Mode (EPM) might display an erroneous error message that ScriptProxy is disabled. However, ScriptScan is still scanning.

To investigate ScriptScan performance issues, you must disable EPM.

Note

ScriptScan does not support Mozilla Firefox browsers. Firefox blocks the ScriptScan DLLs from loading.

Updated components

This release includes updated versions of the following components.

Component

Version

Notes

Engine

5600

McAfee Agent

4.8.0.887

VSCore

15.1

This version of VSCore allows VirusScan Enterprise to install on systems with expired certificates.

VSCAN.BOF

659

New features — Windows 8 and Server 2012 systems

This release includes support for Windows 8.1 (Blue) and Server 2012 R2 systems.

Note

Patch 3 included additional features for supported Windows systems.

New features — other supported Windows systems

This release includes these new features for supported Windows systems other than Windows 8 and Server 2012.

Note

These features were supported in Patch 3 for Windows 8 and Server 2012 systems only.

Connected standby mode

This release of VirusScan Enterprise provides support for systems in connected standby mode (also called Always On Always Connected or AOAC).

Note

AOAC mode is only supported on Windows 8 systems with hardware chips that support AOAC.

•

AOAC suspended mode

When the system is in AOAC suspended mode, VirusScan Enterprise does not perform scans or DAT updates. If an on-demand scan (ODS) starts before the system hibernates in AOAC or battery mode, the ODS pauses. If Run missed tasks option is selected, any missed ODS scans run immediately when the system wakes from suspended mode.

•

User present mode

When a user is present (keyboard and/or mouse interaction within 5 minutes), VirusScan Enterprise performs any on-demand scans and DAT updates as specified by the schedule.

Artemis (GTI) sensitivity level is now set to Medium by default for new installations only (not upgrades).

Note

Client task settings in McAfee ePO override this default.

Sensitivity level on the On-Demand Scan Properties | Performance tab

Sensitivity level on the On-Demand Scan Client Task | Performance tab

Registry settings changes

New or changed setting

Registry entries

DWORD default value

Delayed Write Scan mode is now enabled by default.

This mode delays all scans of modified files to lower priority background threads. This improves performance for processes that write data to disk frequently and/or write a lot of data in a short amount of time.

Resolution — Fixed the path comparison when the exclusion list includes items in a combination of file names with no extensions, path names, and wildcards.

11

Issue — The Outlook On-Demand scanner skipped scanning some items in PST files over 1GB when new mail activity was received. (Reference: 832626)

Resolution — The Outlook On-Demand Scan no longer counts incoming mail as part of storage scan.

12

Issue — If the system has multiple network adapters and Receive Side Scaling enabled, the server could accumulate an unlimited backlog of uncompleted UDP I/O, possibly exhausting memory. (Reference: 835879, 847944)

Issue — In the ePolicy Orchestrator console, administrators reaching the text box limits for Access Protection policies: Rule Inclusions and Rule Exclusions fields were not warned before the limit was exceeded. (Reference: 835948)

Resolution — Increased text box sizes to allow over 5000 characters. In addition, ePolicy Orchestrator displays red warning text when fewer than 200 character spaces are available and again when fewer than 50 characters spaces are available.

Resolution — The number of files in the scanner queue is now limited to 100, preventing the On-Demand Scanner memory from growing too large.

2

Issue — In an IPv6 environment, when a VirusScan Enterprise client sends an event with IPv6 information, the Threat Event log shows the IPv6 address as a string value instead of the original IPv6 address format. (Reference: 716512).

Issue — McAfee ePolicy Orchestrator queries using pie charts that group by VirusScan Enterprise version numbers display the client numbers accurately in the chart. However, when you drill down into one chart group, the filter is not applied and both workstations and servers are displayed. (Reference: 739627)

Resolution — VirusScan Enterprise 8.8.0 Patch 3 and later clients now report a new Machine Type property that classifies the client systems as Workstation or Server. Use this property in queries to filter against workstations or servers.

Issue — When a VirusScan Enterprise patch update is applied, the update would "succeed" and appear to be at the correct patch level even if a file was missing or corrupted in the repository. (Reference: 629564)

Resolution — A missing or corrupt patch file in the repository now causes VirusScan Enterprise updates to fail.

Note

You must still manually fix the issue with the repository before the update can be successful.

Issue — The Reports Extension might fail to check into the repository if the default group for the queries already exist. (Reference: 670759)

Resolution — All queries now include a group reference so they do not try to recreate the default group.

5

Issue — A STOP error (Bugcheck 7f) could occur with the McAfee filter driver due to lost content header information when transmitting through a raw socket on Windows 7. This issue was seen with some third-party VPN clients. (Reference: 682177)

Resolution — The McAfee filter driver now ensures header information is preserved and forwarded through a raw socket.

Resolution — The API to set processor group affinity is now called correctly.

7

Issue — When a McAfee driver queried for the engine version, the return value was a non-empty string if a version was not found in the registry. (Reference: 689986)

Resolution — The return value has been updated to send an empty string if no engine version is found.

8

Issue — During an On-Demand Scan, the user was able to stop or cancel the scan, regardless of configured settings, by clicking the scan task in the console and selecting Show Progress. (Reference: 694042)

Issue — Under low memory conditions, a STOP error (Bugcheck 8E) could occur due to failure with allocated memory from the system pool. (Reference: 727788)

Resolution — VirusScan Enterprise no longer causes a STOP error due to a memory allocation failure.

19

Issue — Some core files could fail to upgrade with VirusScan Enterprise 8.8.0 causing the installer to remove the core files from the system instead of reverting back to the previous state.(Reference: 730735)

Resolution — The installer now ensures the core files will not be removed from the system after a failed upgrade.

20

Issue — Some event XML data included empty strings, which are not honored by the event parser. (Reference: 732299)

Resolution — Empty strings are now accepted for the following fields in the XML events:

•

FileName and VirusType for Detection events

•

ProcessName for PortBlock events

21

Issue — ScriptScan URL exclusions did not allow several special characters, including '/', in the ePolicy OrchestratorVirusScan Enterprise policy settings. (Reference: 733717)

Resolution — ScriptScan URL exclusions with now will not allow only '*' and '?' as originally intended.

Resolution — Access Protection was modified to remove the incompatibility.

27

Issue — Attempting a remote connection to the SAP server using the WebIRichClient with On-Access Scanner enabled prevented the system from connecting and caused the WebIRichClient software to become non-responsive. (Reference: 741714)

Resolution — The file filter was revised to temporarily delay a scan if a file had been modified under conditions that could block concurrent access through the file system.

28

Issue — The McAfee McShield service could encounter a dead-lock situation in an internal utility routine when processing scans of modified files. In this case, the McShield internal dead-lock watchdog timer fires and the McShield service stops. (Reference: 754042)

Issue — When running an On-Demand scan on disk volumes where Update Sequence Number (USN) journals are not enabled, the last access time of the corresponding files might be updated. (Reference: 756797)

Issue — If a file was cached as clean and then later added to the User Defined Detections (UDD) in the Registry, the file is not detected by the On-Access Scanner until the service restarts. (Reference: 762155)

Resolution — On-Access Scanner resets the cache so when the file is added to UDD it will now be detected.

Issue — The REBOOT=A option to SetupVSE.exe did not reboot the system if launched from a scheduled task. (Reference: 717989)

Resolution — SetupVSE.exe now enforces the REBOOT=A option, even if the user is not logged on interactively.

3

Issue — When upgrading from VirusScan Enterprise 8.5.0 to VirusScan Enterprise 8.8.0, an outdated driver was left installed. In some instances, the old driver remained loaded in memory. (Reference: 741085)

Resolution — The installer now removes the outdated driver. A system reboot might be required to remove the driver from memory and load the correct driver. The installer does not force a reboot.

Issues resolved in Patch 1

These issues were resolved in the VirusScan Enterprise Patch 1 release.

Patch

1

Issue — Installation fails with ERROR 1920, citing The McShield Service failed to start. This can occur when Microsoft Windows is installed to a sub-folder rather than the root. (Reference: 638858)

Resolution — The system core installer has been revised to recognize all system paths.

Issue — Files on network locations might trigger an unhandled exception leading to a system crash if the network experiences a failure or the object is unreadable. One report of this occurred when opening Outlook 2010 with PST files configured to reside on remote storage. (Reference: 660014, 663389, 665822, 667934)

Resolution — The McAfee Agent is no longer blocked when trying to set folder permissions.

17

Issue — A defect in the matching engine prevents the deletion of folder names that are a substring of “Program Files”, such as “c:\pro” or “c:\prog”. (Reference: 685273)

Resolution — The matching engine now only matches complete folder names, so deleting “Program Files” is prevented, but deleting “C:\pro”, “c:\prog”, or other substrings is allowed.

18

Issue — An issue in the clean-file scan cache logic was identified on systems supporting the Server Message Block 2 (SMB2) protocol that could allow files to be written to a share and not be scanned. (Reference: 686645, 686650, 690277)

Resolution — When On-Access Scanner tries to scan a share file and the scan does not succeed, the scanner now returns an OPLOCK error to McShield. McShield returns NOTSCANNED status to the driver and the file is not added to the cache, causing the file to be scanned when accessed.

Resolution — VirusScan Enterprise now obtains the current time before generating On-Demand Scan cleanup events.

Repost Patch

1

Issue — When installing VirusScan Enterprise, the installer checks for the existence of UNC paths in the PATH environment variable. If found, VirusScan Enterprise will block the installation because of an issue with McShield. (Reference: 657079, 657651)

Resolution — SetupVSE.exe now includes a bypass flag that allows the installation to continue on machines with UNC paths in their PATH environment variable.

2

Issue — When upgrading from VirusScan Enterprise 8.7i to VirusScan Enterprise 8.8, the Access Protection rules from an older version (8.7) of the product were used. (Reference: 659049)

Verify the client installation

Reboot the client system prior to validating that the installation is successfully installed.

Task

•

Check any of the following items:

•

After the ePolicy Orchestrator agent collects property information, the client system details display the HotFix/Patch version.

•

On the client system, check for a registry key entry Patch_4 in HKey_Local_Machine\Software\McAfee\DesktopProtection.

Note

On a 64-bit system, this entry might be located in HKey_Local_Machine\Software\Wow6432Node\McAfee\DesktopProtection.

•

Confirm that the expected files are installed by checking the version number of individual files. File versions should match the list of files in File inventory section.

Note

Releases are not displayed or do not report installed if an error occurred during installation, or if a file did not install correctly.

File inventory

File name

Version (x64/x86)

File name

Version (x64/x86)

File name

Version (x64/x86)

mfevtps.exe

15.1.0.656

adslokuu.dll

15.1.0.543

BBCpl.dll

8.8.0.1247

mfeapconfig.dll

15.1.0.656

csscan.exe

15.1.0.543

condl.dll

8.8.0.1247

mfeapfa.dll

15.1.0.656

dainstall.exe

15.1.0.543

consl.dll

8.8.0.1247

mfeapfk.sys

15.1.0.656

entvutil.exe

15.1.0.543

graphics.dll

8.8.0.1247

mfeavfa.dll

15.1.0.656

ftl.dll

15.1.0.543

mapprem.dll

8.8.0.1247

mfeavfk.sys

15.1.0.656

lockdown.dll

15.1.0.543

mmalnot.dll

8.8.0.1247

mfebopa.dll

15.1.0.656

mcshield.dll

15.1.0.543

naiann.dll

8.8.0.1247

mfebopk.sys

15.1.0.656

mcshield.exe

15.1.0.543

NCDaemon.exe

8.8.0.1247

mfeclnk.sys

15.1.0.656

mcvssnmp.dll

15.1.0.543

NCExtMgr.dll

8.8.0.1247

mfeelam.dll

15.1.0.656

mfeann.exe

15.1.0.543

NCInstall.exe

8.8.0.1247

mfeelamk.sys

15.1.0.656

MfeOtlkAddin.dll

15.1.0.543

NCMenu.dll

8.8.0.1247

mfehida.dll

15.1.0.656

mytilus3.dll

15.1.0.543

NCScan.dll

8.8.0.1247

mfehidin.exe

15.1.0.656

mytilus3_server.dll

15.1.0.543

NCTrace.dll

8.8.0.1247

mfehidk.sys

15.1.0.656

mytilus3_worker.dll

15.1.0.543

odspause.dll

8.8.0.1247

mfehidk_messages.dll

15.1.0.656

naevent.dll

15.1.0.543

shcfg32.exe

8.8.0.1247

mferkda.dll

15.1.0.656

naievent.dll

15.1.0.543

shstat.dll

8.8.0.1247

mferkdet.sys

15.1.0.656

OtlkScan.dll

15.1.0.543

shstat.exe

8.8.0.1247

mfetdi2k.sys

15.1.0.656

OtlkUI.xxx.dll

15.1.0.543

shutil.dll

8.8.0.1247

mfevtpa.dll

15.1.0.656

scriptff.dll

15.1.0.543

vsodscpl.dll

8.8.0.1247

mfewfpk.sys

15.1.0.656

scriptsn.xxx.dll

15.1.0.543

vsplugin.dll

8.8.0.1247

mscan32.dll

5.600.0.1067

RkScan.dll

1.0.0.231

VsTskMgr.exe

8.8.0.1247

Mscan64a.dll

5.600.0.1067

VSCAN.BOF

659

wscavexe.exe

8.8.0.1247

wscav.dll

8.8.0.1247

Remove installation files

Remove the patch installation files using Add/Remove Programs.

For information on removing the VirusScan Enterprise product, see the VirusScan Enterprise Installation Guide.

Important

Removing the patch from a client system places the client system in an unsupported state. See Known issues for further details.

Task

1

To remove the patch manually, use Add/Remove Programs. (You must have administrative rights to the local system.)

All features affected by the patch are reset to installation defaults. Any features not modified by the patch are left with their current settings.

2

Update VirusScan Enterprise after removing the patch to ensure that VirusScan Enterprise is running the latest version of the engine and DAT files.

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article: KB78495.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.